* KPIs: Key Performance Indicators
  - Quantify performance
  - Important, but not enough for safety

* SPIs: Safety Performance Indicators
  - Quantify safety
  - Leading vs. lagging SPIs
  - Safety case validity SPIs

* KPI:
  - Quantifiable measurement
  - Used to gauge statistical performance

* KPI examples:
  - Percent correctly identified pedestrians
  - Miles between SDC self-disengagements
  - Miles between uncomfortable braking

* KPIs can measure SDC progress
  - Metrics should improve over time
  - But KPIs are the wrong approach for safety

Six Sigma Isn't Enough for Safety (Edge Case Research)

* KPIs help with quality
  - Are all functions working?
  - Is the functionality improving?
  - Is the fault rate decreasing?

* Good KPIs are only the start
  - Six Sigma quality: 99.99966% (five nines)
    - A good start; not enough for life-critical functions
  - Fatal crash avoidance: 99.9999999996% (eleven nines)
    - Safety is 1 million times more demanding! = 8.34 sigma
      - (example: 1000 opportunities/mile, 250M miles/fatal crash, 1.5σ shift)
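To show where the 8.34 sigma figure on this slide comes from, here is an added Python example (not code from the original slides, nor from Koopman or Edge Case Research). It turns the slide's parameters (1000 opportunities per mile, 250M miles per fatal crash, and the conventional 1.5σ long-term shift used in Six Sigma reporting) into a per-opportunity failure probability and the equivalent sigma level, next to the usual Six Sigma benchmark of 3.4 defects per million opportunities. Treating every opportunity as an independent trial is an assumption of the calculation, as is the `statistics.NormalDist` quantile function standing in for a sigma table.

```python
"""Sigma level of a per-opportunity failure rate with the 1.5 sigma shift.

Added example; the slide's numbers are inputs, the functions are ours.
"""
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # mean 0, standard deviation 1

# Six Sigma convention: 3.4 defects per million opportunities (DPMO)
SIX_SIGMA_DPMO = 3.4


def failure_prob_per_opportunity(opportunities_per_mile, miles_per_event):
    """Probability that a single opportunity produces the adverse event.

    Assumption: opportunities are independent trials, so the per-mile
    rate is simply spread over the opportunities in that mile.
    """
    return 1.0 / (opportunities_per_mile * miles_per_event)


def success_percent(failure_prob):
    """Express a failure probability as the percentage of successes."""
    return 100.0 * (1.0 - failure_prob)


def sigma_level(failure_prob, shift=1.5):
    """Sigma level in the Six Sigma convention.

    The reported level is the standard-normal quantile of the long-term
    success probability plus the 1.5 sigma shift, so that a long-term
    defect rate of 3.4 DPMO reports as "six sigma".
    """
    return _STD_NORMAL.inv_cdf(1.0 - failure_prob) + shift


def compare(opportunities_per_mile=1000, miles_per_event=250e6):
    """Put the slide's fatal-crash target next to the Six Sigma benchmark."""
    p_crash = failure_prob_per_opportunity(opportunities_per_mile, miles_per_event)
    p_six_sigma = SIX_SIGMA_DPMO / 1e6
    return {
        "six_sigma_success_pct": success_percent(p_six_sigma),
        "six_sigma_level": sigma_level(p_six_sigma),
        "crash_avoidance_pct": success_percent(p_crash),
        "crash_avoidance_sigma": sigma_level(p_crash),
        # how many times smaller the allowed failure probability is
        "demand_ratio": p_six_sigma / p_crash,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With the slide's inputs the per-opportunity failure probability is 4e-12, which prints as 99.9999999996% avoidance and a sigma level of about 8.34; the Six Sigma benchmark comes out at 99.99966% and 6.0. The ratio of the two failure probabilities is about 8.5 × 10^5, which is the "1 million times more demanding" on the slide to the precision the slide intends.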

* Functionality (KPIs):
  - Are all the features implemented?
  - Does each feature work as intended?
  - Are all scenarios accounted for?
  - Does the product do what it is supposed to?

* Safety:
  - Are there dangerous mis-behaviors?
  - Are there dangerous gaps in the Operational Design Domain?
  - Are there dangerous gaps in fault responses?
  - Are there dangerous defects in requirements, design, repair, etc.?

https://bit.ly/2MaLkfY

Safety Performance Indicator (SPI)

* SPI:
  - Quantifiable measurement
  - Used to gauge safety
  - Typically: arrival rate of adverse events compared to a risk budget

* Lagging SPI metrics (per hour is implied):
  - Loss events (crashes) per hour
  - Incidents (could have been a loss event)
    - Example: running a red light, driving wrong direction for lane
Leading SPIs

* System Level Leading SPIs:
  - Road test incidents caught by safety driver
  - Simulator (SIL/HIL) incidents

* Subsystem Leading SPIs:
  - Vehicle Controls: compromised vehicle stability
  - Path Planning: insufficient clearance to object
  - Perception: false negative (non-detection)
  - Prediction: unexpected object behavior

* Lifecycle SPIs:
  - Maintenance errors
  - Invalid configuration installed

Safety Case

* System is safe because ...
  - Explanation of why
  - Evidence supporting explanation
  - Assumptions

* Ex.: SDC misses pedestrians because...
  - Pedestrians are detected with 3 sensor types
  - Pedestrian intent is predicted accurately
  - Path planning leaves buffer zone around them

* SPIs help detect violations of the safety case

SPIs and the Safety Case

* SPIs also measure safety case assumptions
  - ODD matches the Operational Domain
  - Validation predicts operational performance
  - Maintenance performed as required
  - Correct configuration installed in vehicle

* Example Safety Case-related SPIs:
  - Appearance of assumed rare objects and events
  - Correlated diverse sensor detection faults
  - Safety related maintenance error

© 2020 Philip Koopman

KPI vs. SPI Contrast

* Distance to object:
  - KPI: average and 95th percentile clearance
  - SPI: how often SDC violates safe clearance limit

* Sensor effectiveness:
  - KPI: detection rate, SNR per sensor
  - SPI: concurrent multi-sensor detection failure
  - SPI: loss of calibration

* Pedestrian perception:
  - KPI: accuracy, precision, recall
  - SPI: false negative for more than <k> consecutive frames
  - SPI: previously unknown type of pedestrian encountered
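As an added example (not code from the original slides, nor from Koopman or Edge Case Research), the following Python monitor makes the pedestrian-perception row of the contrast above concrete, and also illustrates the earlier definition of an SPI as an arrival rate of adverse events compared against a risk budget. The KPI is recall over all frames; the SPI counts each run of more than k consecutive false negatives as one adverse event and converts the count into an hourly rate. The frame sequence, the threshold k = 2, the half-hour exposure and the budget of one event per hour are all constructed values for the illustration.

```python
"""KPI (recall) versus SPI (long false-negative runs per hour) for perception.

Added example with constructed input; nothing here is from the original slides.
"""
from itertools import groupby

# Constructed sample: one entry per frame in which a pedestrian was actually
# present. True = detected, False = missed (false negative). The sequence has
# one run of 4 consecutive misses and one isolated miss, 100 frames in total.
SAMPLE_FRAMES = [True] * 40 + [False] * 4 + [True] * 30 + [False] + [True] * 25


def kpi_recall(frames):
    """KPI: fraction of pedestrian-present frames in which the pedestrian was detected."""
    return sum(frames) / len(frames)


def miss_runs(frames):
    """Lengths of each maximal run of consecutive false negatives, in order."""
    return [len(list(run)) for detected, run in groupby(frames) if not detected]


def spi_events(frames, k):
    """SPI event count: runs of more than k consecutive false negatives.

    Each qualifying run counts once, as a single adverse event; short
    misses that the tracker can ride through are not counted.
    """
    return sum(1 for length in miss_runs(frames) if length > k)


def arrival_rate_per_hour(events, exposure_hours):
    """Arrival rate of adverse events per hour of exposure."""
    return events / exposure_hours


def within_risk_budget(rate_per_hour, budget_per_hour):
    """Compare the observed arrival rate against the allowed risk budget."""
    return rate_per_hour <= budget_per_hour


def evaluate(frames=SAMPLE_FRAMES, k=2, exposure_hours=0.5, budget_per_hour=1.0):
    """Report the KPI and the SPI side by side for one test drive (constructed defaults)."""
    events = spi_events(frames, k)
    rate = arrival_rate_per_hour(events, exposure_hours)
    return {
        "kpi_recall": kpi_recall(frames),
        "spi_events": events,
        "spi_rate_per_hour": rate,
        "within_budget": within_risk_budget(rate, budget_per_hour),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

On the constructed drive the KPI reads 0.95 recall, which looks healthy, while the SPI records one run longer than k = 2 frames in half an hour, an arrival rate of 2 per hour against a budget of 1 per hour, so the drive is out of budget. That is the point of the contrast: the KPI averages the misses away, the SPI counts the kind of miss the safety case cannot tolerate.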

SPIs and the Deployment Decision

* KPIs can predict if your SDC will "work"
  - SOTIF analysis resolves many outliers

* SPIs can predict if it will work safely
  - System level SPIs from simulation & testing
    - At system level, an outlier could be fatal
  - Subsystem SPIs
    - Control, planning, prediction, perception performance SPIs
    - Ability of system to detect and respond to exiting ODD
  - Safety case SPIs
    - Arrival rate of "surprises" / unknown unknowns during testing
    - Arrival rate of gaps in safety case being discovered

Conclusions

* SPIs predict and monitor system safety
  - KPIs: "how well do we drive"
  - SPIs: "how often are we potentially unsafe"

* Different flavors of SPIs
  - Lagging (e.g., crash rates)
  - Leading (e.g., simulator collisions, testing incidents)
  - Safety case SPIs (how often is safety case invalid)

* Do you have SPI coverage for your system?
  - Extend SOTIF analysis beyond KPIs to include SPIs
  - See ANSI/UL 4600 Chapter 16 on SPIs